
Security

Built for the trust requirements
of academic publishing.

Publishers, libraries, and universities depend on ZenPub for content that matters. Here is how we protect it — at the infrastructure, application, and data layer.

Compliance & certifications

Standards we comply with

  • COUNTER 5.1: Compliant. TR, DR, IR, PR reports + SUSHI R5.1 API
  • GDPR: Compliant. DPA available; SCCs Module 2 for international transfers
  • WCAG 2.2 AA: Compliant. Accessible reading interface and admin panel
  • Readium LCP: Compliant. EDRLab-standard EPUB DRM implementation
  • SOC 2 Type II: In progress. Audit scheduled for Q4 2026
  • ISO 27001: Roadmap. Planned following SOC 2 completion (2027)

Platform security

Security from the database layer up

Tenant isolation

  • PostgreSQL row-level security (RLS) — every query is scoped to the requesting tenant's organisation ID at the database layer, not the application layer
  • Separate S3 key prefixes per tenant with signed URLs that expire in 15 minutes — cross-tenant content access is architecturally impossible
  • Tenant slug validation on every API request via middleware before any controller logic runs

Authentication & access control

  • JWT tokens with short expiry (15 min access / 7 day refresh) using a stable production secret
  • Timing-safe token comparison (Node.js crypto.timingSafeEqual) to prevent timing side-channel attacks
  • Role-based access control enforced at both controller and guard level — admin, editor, and viewer roles
  • SSO/SAML 2.0 and IP-range authentication for institutional access, with per-collection access rules
  • Sitewide rate limiting via NestJS ThrottlerGuard; contact form limited to 3 requests per 60 seconds

Content protection (DRM)

  • LCP (Lightweight Content Protection) DRM for all EPUB files — industry standard for ebook distribution
  • EC P-256 private key for LCP license signing, stored as a stable environment secret (never ephemeral in production)
  • Signed, time-limited S3 URLs for PDF delivery — direct S3 access is disabled
  • Content streamed directly from CDN edge — Zentrovia infrastructure is never a bottleneck in the read path

Data security

  • Encryption at rest: AES-256 on all S3 objects and database volumes
  • Encryption in transit: TLS 1.2+ enforced on all connections
  • Sensitive credentials (API keys, service account JSONs) stored encrypted in the database
  • COUNTER 5.1 access logs are aggregated and anonymised at the user level — no identifiable reading history retained beyond 90 days without explicit consent
  • Patron annotations and bookmarks are private to the individual user by default

Infrastructure

  • Hosted on AWS (primary) and Railway/Vercel for the application layer — all within major cloud providers with SOC 2 Type II certification
  • Database backups taken daily with 30-day retention
  • Automated dependency scanning via Dependabot on all repositories
  • Production environment variables are never committed to source control
  • Security patches applied within 24 hours of critical CVE disclosures

Input validation & web security

  • All HTML email templates use explicit escaping to prevent XSS injection via user-supplied fields
  • SMTP header injection prevented by stripping newline characters from all email header fields
  • SQL injection prevented by TypeORM parameterised queries throughout
  • File upload validation: MIME type allowlist, 5 MB cap on branding assets, content-type verification
  • CORS configured to explicit origin allowlist — no wildcard origins in production
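The controls listed above, as added examples that are not ZenPub's code: HTML escaping of user-supplied fields before they are interpolated into an email template, stripping CR/LF from email header values to close the SMTP header injection path, upload validation that combines a MIME allowlist, the 5 MB cap and a magic-number check of the actual bytes, and an exact-match CORS origin allowlist. The allowed image types (PNG and JPEG), the template text and the allowed origin are assumptions constructed for the example.

```javascript
// HTML escaping for user-supplied fields interpolated into email templates.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Every user-controlled field passes through escapeHtml before interpolation
// (constructed template text).
function renderInviteEmail(inviteeName, orgName) {
  return `<p>Hello ${escapeHtml(inviteeName)}, you have been invited to ${escapeHtml(orgName)}.</p>`;
}

// SMTP header injection: a CR or LF inside a header value such as a display
// name or subject ends the header and lets the value append further headers,
// for example extra recipients. Stripping CR, LF and NUL from every header
// field closes that path.
function sanitizeHeaderValue(value) {
  return String(value).replace(/[\r\n\0]/g, '');
}

// Upload validation for branding assets: the declared MIME type must be on
// the allowlist, the file must fit the 5 MB cap, and the bytes must start
// with the magic number of the declared type (assumed allowlist: PNG, JPEG).
const MAX_BRANDING_BYTES = 5 * 1024 * 1024;
const ALLOWED_BRANDING_TYPES = {
  'image/png': [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  'image/jpeg': [0xff, 0xd8, 0xff],
};

function validateBrandingUpload(declaredMime, bytes) {
  // hasOwnProperty rather than `in`, so inherited names like "constructor"
  // are not treated as allowed types.
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_BRANDING_TYPES, declaredMime)) {
    return { ok: false, reason: 'mime type not allowed' };
  }
  if (bytes.length > MAX_BRANDING_BYTES) return { ok: false, reason: 'file too large' };
  const magic = ALLOWED_BRANDING_TYPES[declaredMime];
  if (bytes.length < magic.length || magic.some((b, i) => bytes[i] !== b)) {
    return { ok: false, reason: 'content does not match declared type' };
  }
  return { ok: true };
}

// CORS: exact-match origin allowlist (constructed origin). Prefix or substring
// matching would also accept look-alike origins that merely start with the
// allowed hostname.
const ALLOWED_ORIGINS = new Set(['https://app.example-publisher.org']);
function isAllowedOrigin(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}
```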

Penetration testing

Independent security testing, semi-annually

  • Last penetration test: Q2 2026 — conducted by independent third party
  • Scope: Web application, API endpoints, authentication flows, file upload
  • Findings: 0 critical, 0 high — 2 medium findings remediated within 7 days
  • Next scheduled test: Q4 2026 (semi-annual schedule)
  • Pentest reports: Available to Enterprise customers and procurement teams on request under NDA

Data residency

Choose where your data lives

All regions use AWS infrastructure. Region selection is available on Enterprise plan.

  • 🇪🇺 European Union: AWS eu-west-1 (Ireland) — data does not leave the EU by default for EU customers
  • 🇬🇧 United Kingdom: AWS eu-west-2 (London) — available on Enterprise plan
  • 🇮🇳 India: AWS ap-south-1 (Mumbai) — available on Enterprise plan
  • 🇺🇸 United States: AWS us-east-1 (N. Virginia) — default region for US customers
  • 🌐 Custom region: other AWS regions available for Enterprise customers on request

Enterprise procurement

We support enterprise and institutional procurement processes including security questionnaires, vendor risk assessments, DPA countersignatures, and custom NDA agreements.

  • Security questionnaire responses (CAIQ, SIG, bespoke)
  • Signed DPA available within 5 business days
  • Pen test reports under NDA
  • Sub-processor list with security credentials
  • Business Associate Agreement (BAA) for HIPAA contexts
  • Cyber insurance certificate on request

security@zentrovia.tech

Responsible disclosure

We take security reports seriously. If you discover a vulnerability in the ZenPub platform, please report it privately before disclosing publicly. We commit to acknowledging receipt within 24 hours and providing a fix timeline within 72 hours for critical issues. We do not pursue legal action against good-faith researchers.

Report a vulnerability

security@zentrovia.tech

Include steps to reproduce, affected components, and potential impact.

Security — ZenPub